What are two types of NTFS permissions?


In Windows, permissions are available on every file, folder, registry key, printer and Active Directory object. However, in this article we’ll be concentrating on NTFS file and folder permissions. These permissions are available on NTFS file systems but not on FAT based file systems.

Permissions define what a user can and cannot do with a file or folder. For example, they can allow some users to read a file while preventing others from reading it, or stop certain users from deleting or modifying files.

Basic Permissions

There are basic and advanced permissions.

The basic permissions map to one or more advanced permissions. For example, if you set the basic Read permission on a file then it means you have the following advanced permissions: List Folder/Read Data, Read Attributes, Read Extended Attributes and Read Permissions. Basic permissions provide a simpler and less granular way to set permissions. Another way to think of it is that basic permissions are groups of advanced permissions.

The basic permissions are:

Full Control: Users can read, modify, add, move, and delete files, as well as their associated properties and directories. In addition, users can change permissions settings for all files and subdirectories.

Modify: Users can view and modify files and file properties, including deleting and adding files to a directory or file properties to a file.

Read & Execute: Users can run executable files, including scripts.

Read: Users can view files and file properties.

Write: Users can write to a file.

The advanced permissions are:

Traverse Folder/Execute File: For folders: Traverse Folder allows or denies moving through folders to reach other files or folders, even if the user has no permissions for the traversed folders. (Applies to folders only.) Traverse Folder takes effect only when the group or user is not granted the Bypass traverse checking user right in the Group Policy snap-in. (By default, the Everyone group is given the Bypass traverse checking user right.) For files: Execute File allows or denies running program files. (Applies to files only.) Setting the Traverse Folder permission on a folder does not automatically set the Execute File permission on all files within that folder.

List Folder/Read Data: List Folder allows or denies viewing file names and subfolder names within the folder. List Folder only affects the contents of that folder and does not affect whether the folder you are setting the permission on will be listed. (Applies to folders only.) Read Data allows or denies viewing data in files. (Applies to files only.)

Read Attributes: Allows or denies viewing the attributes of a file or folder, such as read-only and hidden. Attributes are defined by NTFS.

Read Extended Attributes: Allows or denies viewing the extended attributes of a file or folder. Extended attributes are defined by programs and may vary by program.

Create Files/Write Data: Create Files allows or denies creating files within the folder. (Applies to folders only.) Write Data allows or denies making changes to the file and overwriting existing content. (Applies to files only.)

Create Folders/Append Data: Create Folders allows or denies creating folders within the folder. (Applies to folders only.) Append Data allows or denies making changes to the end of the file but not changing, deleting, or overwriting existing data. (Applies to files only.)

Write Attributes: Allows or denies changing the attributes of a file or folder, such as read-only or hidden. Attributes are defined by NTFS. The Write Attributes permission does not imply creating or deleting files or folders, it only includes the permission to make changes to the attributes of a file or folder.

Write Extended Attributes: Allows or denies changing the extended attributes of a file or folder. Extended attributes are defined by programs and may vary by program. The Write Extended Attributes permission does not imply creating or deleting files or folders, it only includes the permission to make changes to the extended attributes of a file or folder.

Delete Subfolders and Files: Allows or denies deleting subfolders and files, even if the Delete permission has not been granted on the subfolder or file. (Applies to folders.)

Delete: Allows or denies deleting the file or folder. If you do not have Delete permission on a file or folder, you can still delete it if you have been granted Delete Subfolders and Files on the parent folder.

Read Permissions: Allows or denies reading permissions of the file or folder, such as Full Control, Read, and Write.

Change Permissions: Allows or denies changing permissions of the file or folder, such as Full Control, Read, and Write.

Take Ownership: Allows or denies taking ownership of the file or folder. The owner of a file or folder can always change permissions on it, regardless of any existing permissions that protect the file or folder.

Assigning, Allowing and Denying Permissions

Permissions are assigned explicitly or by inheritance. For example, a file could inherit its permissions from its parent folder. This makes managing permissions simpler as you only need to change one folder’s permission instead of all the files in a folder. You can also set explicit permissions for a file or a folder. For example, a file could still inherit its permissions from its parent folder but you may also want to give extra permissions to a specific user.

You can allow or deny a permission. Deny beats Allow when both are applied directly on the same file or folder. When inherited permissions are involved, Allow and Deny are resolved by the following hierarchy:

  1. Explicit Deny
  2. Explicit Allow
  3. Inherited Deny
  4. Inherited Allow

Windows checks these from first to last and applies the first one that matches. For example, if a file inherits a Deny Read permission but you are explicitly given Read permission on that file, the explicit Allow overrides the inherited Deny.
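As an added example (not part of the original article), the PowerShell function below reads the ACL of a file or folder and ranks each access control entry into the four tiers just described, so you can see which entries Windows would consider first. The path C:\Share\Finance is an assumption.

```powershell
# Added example, not from the original article. Lists every ACE on a file or
# folder, ranked in the order the article gives: 1 explicit Deny, 2 explicit
# Allow, 3 inherited Deny, 4 inherited Allow. The sample path is an assumption.
function Get-AcePrecedence {
    param([Parameter(Mandatory)][string]$Path)

    $acl = Get-Acl -Path $Path
    $acl.Access | ForEach-Object {
        $explicit = -not $_.IsInherited
        $deny     = $_.AccessControlType -eq 'Deny'
        # Map the ACE onto the four tiers from the article
        $rank = if ($explicit -and $deny) { 1 } elseif ($explicit) { 2 } elseif ($deny) { 3 } else { 4 }
        $source = if ($explicit) { 'Explicit' } else { 'Inherited' }
        [pscustomobject]@{
            Rank     = $rank
            Source   = $source
            Type     = $_.AccessControlType
            Identity = $_.IdentityReference.Value
            Rights   = $_.FileSystemRights   # numeric values appear for generic rights
        }
    } | Sort-Object Rank, Identity
}

# The owner can always change permissions (see Take Ownership), so show it too
$target = 'C:\Share\Finance'   # assumed path; replace with a real one
"Owner: $((Get-Acl -Path $target).Owner)"
Get-AcePrecedence -Path $target | Format-Table -AutoSize
```

The output shows the order of evaluation for a single object; working out a given user's effective access additionally requires resolving that user's group memberships against the Identity column.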

The security applies to both users and groups. Users can be members of one or more groups. For example, you could have a group for accountants, editors, programmers, etc. You can then base your permissions on groups instead of specific users. This makes managing the permissions much simpler as a new employee can simply be added to the appropriate groups. They can then access files and folders based on their group and no permissions need to be changed.

Files and folders have ownership. When a file or folder is created Windows gives Full Control to the owner (the creator of the file or folder). You can change ownership, but the user or group changing the ownership needs the Full Control or Take Ownership permission.

In this article, you will learn the difference between NTFS and Shared folder permissions.

I will also share my best practices for using shared and NTFS permissions on a Windows domain server.

What are Share Permissions?

Share permissions control who can access a folder over the network, and are applied to a shared folder but do not apply to subfolders.

What are NTFS Permissions?

NTFS permissions are a way to control access to data that is stored on the NTFS file system. With NTFS permissions you can control access for local users as well as network users (Active Directory). For example, if you want users in the accounting department to have Modify rights to a folder, but all other users should be read-only, you would use NTFS permissions to set the access.

What is the Difference Between NTFS and Shared Permissions?

  • Shared permissions are used on the shared folder only (does not apply to subfolders).
  • NTFS permissions are used to control access to root and subfolders.
  • Share and NTFS permissions are used together to provide access to folders over the network.
  • NTFS permissions allow you to apply different permissions to each folder.
  • NTFS permissions can apply to both local and network users.

In the diagram below, I have a shared folder called “Share” on a Windows file server. The share permissions I set on the “share” folder only apply to this folder. To change access to the subfolders I would need to use NTFS permissions. With NTFS permissions I can apply different permissions to each folder.

How to View Shared Permissions

Here are the steps to view shared permissions.

Step 1: Right-click the shared folder and select properties

Step 2: Click the “Sharing” tab and then click “Advanced Sharing”

Step 3: Click the “Permissions” button

You should now see a list of users and groups and their permission to the folder.

How to View NTFS Permissions

Viewing NTFS permissions is very similar to shared permissions. Browse to the folder, right-click, and select properties. Now click on the “Security” tab to see the NTFS permissions.

The NTFS permissions will probably have more groups and users listed as it includes local users.

The above method works for checking permissions on a single folder. The problem is that you will often need to check or create a report on all folders. To view permissions on all folders you will need to use a third-party tool or create a PowerShell script.

In the example below, I’m using a GUI NTFS Permissions Tool that quickly gets NTFS permissions on all folders.

With this tool, enter or select the shared folder and click Run. You will get a report of the NTFS permissions on the root and all subfolders. This tool is very easy to use and saves a lot of time; it also lets you export the report to a CSV file.

NTFS vs Shared Permissions Best Practices

Here are some tips for using NTFS and shared permissions.

Tip #1: Change the default share permissions.

The default share permissions grant access to the Everyone group, which is insecure; remove that entry. You should only give share permissions to the groups of users that require access.

Tip #2: Don’t assign permissions to individual users.

When assigning permissions, use groups instead of users. This will simplify administration and make it easier to report on who has access to what.

Tip #3: Don’t give users Full Control.

You don’t need to give users Full Control of a folder; the most rights they will need is Modify. Full Control allows users to take ownership of a folder, which would in turn let them change its permissions.

Tip #4: Use Least Privilege Access.

Give users the minimum permissions that enable them to do their job. If a user or group only needs to view documents, don’t give them Write or Modify access. Granting more access than is needed weakens your systems. Take advantage of the granular control that NTFS permissions provide and give only the access that is needed.

Tip #5: Review NTFS and Shared Permissions.

You should review folder permissions at least once a year; sometimes an audit requires it. The only efficient way to do this is with PowerShell or an NTFS permissions tool, as demonstrated in this guide.

Tip #6: Don’t use the Everyone Group.

Just as with share permissions, don’t use the Everyone group in NTFS permissions. A vendor or tech support engineer might tell you to just add the Everyone group to fix a problem, but don’t do it. This is how malware such as ransomware spreads and replicates to other systems on your network.
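The following PowerShell script is an added example, not code from the original article or from the GUI tool it mentions. It implements the review from Tip #5 and the "report on all folders" need described earlier: it collects the share permissions of one SMB share and the NTFS permissions of the root and every subfolder, exports all entries to CSV, and flags Everyone entries (Tips #1 and #6) and Full Control grants outside an administrative allow-list (Tip #3). The share name, output path and allow-list are assumptions.

```powershell
# Added example, not from the original article or any tool it mentions. Sweeps
# one SMB share: its share permissions plus the NTFS permissions of the root and
# every subfolder, exports all ACEs to CSV and flags the patterns the tips above
# warn about (Everyone entries, Full Control outside an admin allow-list).
# Share name, output path and the allow-list are assumptions; adjust for your server.
function Invoke-PermissionAudit {
    param(
        [string]$ShareName = 'Share',
        [string]$OutFile   = "$env:TEMP\permission-audit.csv",
        [string[]]$FullControlAllowed = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM', 'CREATOR OWNER')
    )
    $fc    = [System.Security.AccessControl.FileSystemRights]::FullControl
    $share = Get-SmbShare -Name $ShareName
    $rows  = [System.Collections.Generic.List[object]]::new()

    # Share permissions apply only to the shared folder itself (Tip #1)
    foreach ($ace in Get-SmbShareAccess -Name $ShareName) {
        $finding = if ($ace.AccountName -like '*Everyone') { 'Everyone on share' } else { '' }
        $rows.Add([pscustomobject]@{
            Layer = 'Share'; Path = $share.Path; Identity = $ace.AccountName
            Type = $ace.AccessControlType; Rights = $ace.AccessRight; Inherited = $false
            Finding = $finding
        })
    }

    # NTFS permissions: the root folder plus every subfolder (Tips #3 and #6).
    # SilentlyContinue keeps the sweep going past folders the auditor cannot read.
    $folders = @(Get-Item -Path $share.Path) +
               @(Get-ChildItem -Path $share.Path -Directory -Recurse -ErrorAction SilentlyContinue)
    foreach ($folder in $folders) {
        foreach ($ace in (Get-Acl -Path $folder.FullName).Access) {
            $id = $ace.IdentityReference.Value
            $finding = @()
            if ($id -like '*Everyone') { $finding += 'Everyone on NTFS' }
            # -band catches Full Control even when extra generic bits are set in the mask
            if ($ace.AccessControlType -eq 'Allow' -and (($ace.FileSystemRights -band $fc) -eq $fc) -and ($id -notin $FullControlAllowed)) {
                $finding += 'Full Control outside allow-list'
            }
            $rows.Add([pscustomobject]@{
                Layer = 'NTFS'; Path = $folder.FullName; Identity = $id
                Type = $ace.AccessControlType; Rights = $ace.FileSystemRights
                Inherited = $ace.IsInherited; Finding = ($finding -join '; ')
            })
        }
    }
    $rows | Export-Csv -Path $OutFile -NoTypeInformation -Encoding UTF8
    $rows | Where-Object Finding   # return only the flagged entries
}

Invoke-PermissionAudit -ShareName 'Share' | Format-Table Layer, Path, Identity, Rights, Inherited, Finding -AutoSize
```

Run it on the file server itself (Get-SmbShare and Get-SmbShareAccess query the local SMB server) with an account that can read every folder's ACL; the full CSV is the audit record, while the console output lists only the entries that need attention.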